
CN115208680B - Dynamic network risk prediction method based on graph neural network - Google Patents

Publication number
CN115208680B
Authority
CN
China
Prior art keywords
network
time series
feature map
data
series feature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210861878.9A
Other languages
Chinese (zh)
Other versions
CN115208680A (en)
Inventor
吴德胜
李磊
谢云昊
董隽然
黄隆波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Chinese Academy of Sciences
Original Assignee
University of Chinese Academy of Sciences
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Chinese Academy of Sciences
Priority to CN202210861878.9A
Publication of CN115208680A
Application granted
Publication of CN115208680B
Priority to US18/318,882 (US11934536B2)
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computational Linguistics (AREA)
  • Medical Informatics (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Mathematical Physics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a dynamic network risk prediction method based on a graph neural network, comprising the following steps: acquiring network data and constructing a network data time-series diagram; extracting the time series of that diagram to obtain a time-series feature map; extracting network attribute features, network structure features and network change features; learning representation vectors to obtain the representation vector of the network data time-series diagram; and constructing an anomaly detection model and predicting the risk of the dynamic network. Modeling the time-series feature map with a graph neural network allows the structural features and the attribute features of the network to be extracted at the same time, so more anomalies can be uncovered. Introducing a long short-term memory network to model the changes of the dynamic network means that anomalies in network change are considered during risk prediction, which improves the accuracy of dynamic network risk prediction and allows real anomalies in the network to be found. The prediction process is easy to operate and highly controllable.

Description

A Dynamic Network Risk Prediction Method Based on a Graph Neural Network

Technical field

The invention relates to the technical field of network risk prediction, and in particular to a dynamic network risk prediction method based on a graph neural network.

Background

A network consists of a number of nodes and the links connecting them, and represents the relationships among multiple objects. In a network structure, a child node can have two or more parent nodes, and two nodes can be connected by two or more kinds of relationship. Network-structured data is essentially an extension of hierarchical structure and, because of its strong representational power, has received wide attention in recent years. Real-world networks are divided into static networks and dynamic networks: a static network does not change over time, whereas a dynamic network changes dynamically over time. A dynamic network may contain elements whose change patterns or characteristics are abnormal, such as communication that exhibits attack behavior.

A graph neural network is a new type of artificial neural network whose input is graph-structured data and whose output is a representation vector that gives a high-level summary of the data's properties. Because graph neural networks can effectively learn and mine both the attribute information and the structural features of data, and solve graph-related tasks end to end, they are widely used in applications that analyze and process graph data.

To keep a dynamic network stable, its risk must be predicted so that network attacks can be defended against in advance. Most existing methods for predicting anomaly risk in dynamic networks are inefficient and cannot extract the structural features and the attribute features of the network at the same time, so they cannot detect network anomalies comprehensively. Existing risk prediction methods also do not consider anomalies in how the network changes during risk prediction, which harms the precision of anomaly risk prediction, lowers the accuracy of dynamic network risk prediction and makes it inconvenient to deploy network defenses in advance. Research on applying graph neural networks to network anomaly detection is not yet deep enough to bring substantial help to risk prediction for dynamic networks. The present invention therefore proposes a dynamic network risk prediction method based on a graph neural network to solve the problems in the prior art.

Summary of the invention

In view of the above problems, the object of the invention is to propose a dynamic network risk prediction method based on a graph neural network. By modeling the time-series feature map with a graph neural network, the method extracts the structural features and the attribute features of the network at the same time and can therefore uncover more anomalies. By introducing a long short-term memory (LSTM) network to model the changes of the dynamic network, it takes anomalies in network change into account during risk prediction, which improves the accuracy of dynamic network risk prediction and allows practically meaningful anomalies in the network to be found. This solves the low accuracy and low efficiency of traditional network risk prediction methods.

To achieve this object, the invention is implemented through the following technical solution: a dynamic network risk prediction method based on a graph neural network, comprising the following steps:

S1: Select a time period and, within it, capture network packets from the dynamic network to be predicted using zero-copy packet capture. Standardize the data in the captured packets, use the standardized data to construct a network data time-series diagram, and then preprocess that diagram with image enhancement and image transformation;

S2: Extract the time series of the network data time-series diagram with a frequent time-series subsequence mining algorithm, then mine frequent time-series subsequences from the extracted time series to obtain the time-series feature map of the network data;

S3: Select different time instants, model the time-series feature map with a graph neural network, and extract the network attribute features and network structure features of the time-series feature map at each instant. Then use a long short-term memory model, combined with the features extracted at the different instants, to extract the network change features of the time-series feature map;

S4: From the extracted network attribute features, network structure features and network change features, learn representation vectors by maximizing the mutual information between the global representation vector and the local representation vectors, obtaining the representation vector of the time-series feature map;

S5: Build an anomaly detection model with an anomaly detection algorithm for data streams, use the model to detect anomalies in the representation vectors of the time-series feature map and produce an anomaly score, and finally predict the risk of the dynamic network from the anomaly score.

A further improvement is that, in S1, the network data time-series diagram is preprocessed with image enhancement and image transformation as follows: the diagram is first enhanced in the frequency domain with high-pass and low-pass filtering, and a Fourier transform is then used to transform it from the spatial domain to the frequency domain.

A further improvement is that, in S3, the graph neural network is a graph convolutional neural network, and the network attribute features and network structure features are extracted as follows: the graph convolutional neural network imitates a frequency-domain convolution on the time-series feature map; the time-series feature map is mapped to the frequency space, the convolution is performed there, and the time-series feature map is then converted back to the node space, from which its network attribute features and network structure features are extracted.

A further improvement is that, in S3, the network change features are extracted as follows: a long short-term memory recurrent neural network models the changes of the sequence on the time-series feature map, and the model then uses the long short-term memory network to extract the network change features of the time-series feature map.

A further improvement is that, in S4, the representation vectors are learned as follows: a readout function obtains the global representation of the time-series feature map from the representation vectors of its nodes and edges, and training then maximizes the mutual information between the global representation vector and the local representation vectors, yielding the representation vector of the time-series feature map.

A further improvement is that, in S5, while the anomaly detection model is built, network attack data over a specific period is collected as the dataset from network attack scenarios simulated by computers on different local area networks. The data from the first half of that period is used as the training set to train the model, and the data from the second half is used as the test set to test it.

A further improvement is that, in S5, the anomaly detection model uses the robust random cut forest algorithm, combined with the robust random partition forest data structure, to detect anomalies in the representation vectors of the time-series feature map and gives an anomaly score based on the detection result. The risk of the dynamic network is then predicted from the anomaly score, and network defenses are deployed in advance according to the prediction result.

A further improvement is that, in S5, an anomaly score threshold is set: when the anomaly score exceeds the preset threshold, an anomaly risk is judged to exist; when the anomaly score is within the preset threshold, no anomaly risk is judged to exist.

The beneficial effects of the invention are as follows. The invention models the time-series feature map with a graph neural network, so the structural features and the attribute features of the network are extracted at the same time and more anomalies can be uncovered. By introducing a long short-term memory network to model the changes of the dynamic network, it takes anomalies in network change into account during risk prediction, which improves the accuracy of dynamic network risk prediction and allows practically meaningful anomalies in the network to be found. The prediction process is easy to operate and highly controllable. Compared with traditional risk prediction methods, the invention improves both the efficiency and the accuracy of risk prediction, brings substantial help to risk prediction for dynamic networks, makes it easier for users to deploy network defenses against network risks in advance, and greatly improves network security.

Description of the drawings

To explain the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings needed to describe the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a schematic flow chart of the method of the invention.

Detailed description

The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.

Referring to Fig. 1, this embodiment provides a dynamic network risk prediction method based on a graph neural network, comprising the following steps:

S1: Select a time period and, within it, capture network packets from the dynamic network to be predicted using zero-copy packet capture. Standardize the data in the captured packets, use the standardized data to construct a network data time-series diagram, and then preprocess that diagram with image enhancement and image transformation;

The network data time-series diagram is preprocessed with image enhancement and image transformation as follows: the diagram is first enhanced in the frequency domain with high-pass and low-pass filtering, which improves its clarity; a Fourier transform then transforms it from the spatial domain to the frequency domain, which makes the image concise and effective and helps the subsequent time-series feature extraction;

Capturing the packets of the dynamic network with zero-copy packet capture reduces the number of data copies, provides a faster data path and increases network throughput, which improves the efficiency of risk prediction;

S2: Extract the time series of the network data time-series diagram with a frequent time-series subsequence mining algorithm, then mine frequent time-series subsequences from the extracted time series to obtain the time-series feature map of the network data;

S3: Select different time instants, model the time-series feature map with a graph neural network, and extract the network attribute features and network structure features of the time-series feature map at each instant. Modeling the graph data with a graph neural network extracts the structural features and the attribute features of the network at the same time and can uncover more anomalies. Then use a long short-term memory model, combined with the features extracted at the different instants, to extract the network change features of the time-series feature map. Modeling the changes of the network with a long short-term memory network means that anomalies in network change are considered and included during risk prediction, which improves the accuracy of the prediction;

The graph neural network is a graph convolutional neural network, and the network attribute features and network structure features are extracted as follows: the graph convolutional neural network imitates a frequency-domain convolution on the time-series feature map; the time-series feature map is mapped to the frequency space, the convolution is performed there, and the time-series feature map is then converted back to the node space, from which its network attribute features and network structure features are extracted;

The network change features are extracted as follows: a long short-term memory recurrent neural network models the changes of the sequence on the time-series feature map, and the model then uses the long short-term memory network to extract the network change features of the time-series feature map;

S4: From the extracted network attribute features, network structure features and network change features, learn representation vectors by maximizing the mutual information between the global representation vector and the local representation vectors, obtaining the representation vector of the time-series feature map;

The representation vectors are learned as follows: a readout function obtains the global representation of the time-series feature map from the representation vectors of its nodes and edges, and training then maximizes the mutual information between the global representation vector and the local representation vectors, yielding the representation vector of the time-series feature map;

S5: Build an anomaly detection model with an anomaly detection algorithm for data streams. The model uses the robust random cut forest algorithm, combined with the robust random partition forest data structure, to detect anomalies in the representation vectors of the time-series feature map and gives an anomaly score based on the detection result. Finally an anomaly score threshold is set: when the anomaly score exceeds the preset threshold, an anomaly risk is judged to exist; when the anomaly score is within the preset threshold, no anomaly risk is judged to exist. Network defenses are deployed in advance according to the prediction result;

While the anomaly detection model is built, network attack data over a specific period is collected as the dataset from network attack scenarios simulated by computers on different local area networks. The data from the first half of that period is used as the training set to train the model, and the data from the second half is used as the test set to test it.
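The S5 scoring step, as an added example that is not code from the patent: a pure-Python robust random cut forest scorer that trains on the first half of a window of representation vectors, scores the second half and applies the threshold rule. The vectors, the threshold of 16, the tree count and all function names are assumptions, and each vector is scored by growing trees over a training sample plus that vector (which draws from the same tree distribution as incremental insertion) instead of maintaining a streaming forest.

```python
import random
from statistics import mean


def codisp_in_one_tree(points, target, rng):
    """Collusive displacement of points[target] in one robust random cut tree.

    Only the branch that holds the target is grown: the score depends solely
    on the subtrees along the target's root-to-leaf path and their siblings.
    """
    idx = list(range(len(points)))
    dims = range(len(points[0]))
    best = 0.0
    while len(idx) > 1:
        lo = [min(points[i][d] for i in idx) for d in dims]
        hi = [max(points[i][d] for i in idx) for d in dims]
        spans = [h - l for l, h in zip(lo, hi)]
        if sum(spans) == 0:            # only duplicates of the target remain
            break
        # Robust random cut: pick the dimension in proportion to its span,
        # then a cut position uniformly inside that span.
        d = rng.choices(dims, weights=spans)[0]
        cut = rng.uniform(lo[d], hi[d])
        left = [i for i in idx if points[i][d] <= cut]
        right = [i for i in idx if points[i][d] > cut]
        if not right:                  # cut landed exactly on the maximum
            continue
        same, sibling = (left, right) if target in left else (right, left)
        # Removing the subtree `same` would displace every point in `sibling`.
        best = max(best, len(sibling) / len(same))
        idx = same
    return best


def anomaly_score(train, x, rng, trees=64, sample_size=32):
    """Mean CoDisp of x over `trees` trees, each grown on a training sample plus x."""
    k = min(sample_size, len(train))
    per_tree = []
    for _ in range(trees):
        sample = rng.sample(train, k) + [x]   # x sits at index k
        per_tree.append(codisp_in_one_tree(sample, k, rng))
    return mean(per_tree)


def predict_risk(vectors, threshold, seed=0):
    """Train on the first half of the window, score the second half.

    Returns (scores, flagged): one score per second-half vector and the
    indices into `vectors` whose score exceeds the threshold.
    """
    rng = random.Random(seed)
    half = len(vectors) // 2
    train, test = vectors[:half], vectors[half:]
    scores = [anomaly_score(train, x, rng) for x in test]
    flagged = [half + i for i, s in enumerate(scores) if s > threshold]
    return scores, flagged


def constructed_vectors(seed=1):
    """Constructed stand-in for the S4 representation vectors (not real data):
    80 time-ordered 3-d vectors in a small box, with two outliers injected
    into the second half of the window."""
    rng = random.Random(seed)
    vecs = [tuple(rng.uniform(0.4, 0.6) for _ in range(3)) for _ in range(80)]
    vecs[52] = (0.5, 0.5, 3.0)     # abnormal along one feature
    vecs[67] = (2.5, -1.5, 0.5)    # abnormal along two features
    return vecs


THRESHOLD = 16.0   # assumed value; the patent does not state a threshold

if __name__ == "__main__":
    scores, flagged = predict_risk(constructed_vectors(), THRESHOLD)
    half = len(scores)
    for i in flagged:
        print(f"t={i} score={scores[i - half]:.1f} -> anomaly risk")
    print(f"{len(scores) - len(flagged)} vectors within threshold -> no anomaly risk")
```

With 32 sampled training vectors per tree the score ranges from 0 to 32, so the assumed threshold sits at the midpoint; in practice it would be tuned on the training half.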

This embodiment first collects network data and constructs the network data time-series diagram, then extracts the time series of that diagram to obtain the time-series feature map, then extracts the network attribute features, network structure features and network change features of the dynamic network, then learns representation vectors to obtain the representation vector of the network time-series diagram, and finally builds the anomaly detection model and predicts the risk of the dynamic network. In comparative tests against existing network risk prediction methods, the results show that the risk prediction method proposed by the invention is more efficient and more accurate than the existing methods and can be widely applied.

The above are only preferred embodiments of the invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (4)

1. A dynamic network risk prediction method based on a graph neural network, characterized by comprising the following steps:

S1: select a time period; capture network data packets from the dynamic network to be predicted during that period using zero-copy packet capture technology; standardize the data in the captured packets; construct a network data time-series diagram from the standardized data; then preprocess the network data time-series diagram by image enhancement and image transformation;

in S1, the network data time-series diagram is preprocessed by image enhancement and image transformation as follows: high-pass filtering and low-pass filtering are first applied to enhance the diagram in the frequency domain, and a Fourier transform is then used to transform the diagram from the spatial domain to the frequency domain;

S2: extract the time series of the network data time-series diagram with a frequent time-series subsequence mining algorithm, then mine frequent time-series subsequences from the extracted time series to obtain a time series feature map of the network data;

S3: select different moments, model the time series feature map with a graph neural network, and extract the network attribute features and network structure features of the time series feature map at each moment; then use a long short-term memory model, combined with the features extracted from the time series feature map at the different moments, to extract the network change features of the time series feature map;

in S3, the network change features are extracted as follows: a long short-term memory recurrent neural network is used to model the changes of the sequences on the time series feature map, and the model then uses the long short-term memory network to extract the network change features of the time series feature map;

S4: based on the extracted network attribute features, network structure features and network change features, learn representation vectors by maximizing the mutual information between the global representation vector and the local representation vectors, obtaining the representation vector of the time series feature map;

in S4, the representation vectors are learned as follows: a readout function obtains the global representation of the time series feature map from the representation vectors of its nodes and edges, and training then maximizes the mutual information between the global representation vector and the local representation vectors, yielding the representation vector of the time series feature map;

S5: build an anomaly detection model using an anomaly detection algorithm for data streams, use the model to perform anomaly detection on the representation vector of the time series feature map and output an anomaly score, and finally predict the risk of the dynamic network from the anomaly score;

in S5, the anomaly detection model uses the robust random cut forest algorithm combined with the robust random partition forest data structure to perform anomaly detection on the representation vector of the time series feature map, outputs an anomaly score according to the detection result, predicts the risk of the dynamic network from the anomaly score, and network defenses are deployed in advance according to the prediction result.

2. The dynamic network risk prediction method based on a graph neural network according to claim 1, characterized in that: in S3, the graph neural network is a graph convolutional neural network, and the network attribute features and network structure features are extracted as follows: the graph convolutional neural network first imitates a frequency-domain convolution operation on the time series feature map; the time series feature map is mapped to the frequency space; after the convolution operation has been performed in the frequency space, the time series feature map is converted back to the node space, and its network attribute features and network structure features are extracted.

3. The dynamic network risk prediction method based on a graph neural network according to claim 1, characterized in that: in S5, when the anomaly detection model is built, network attack data within a specific time are collected as a data set from network attack scenarios simulated by computers on different local area networks; the data from the first half of that time are used as the training set to train the model, and the data from the second half are used as the test set to test the model.

4. The dynamic network risk prediction method based on a graph neural network according to claim 1, characterized in that: in S5, an anomaly score threshold is set; when the anomaly score exceeds the preset threshold, an abnormal risk is determined to exist, and when the anomaly score is within the preset threshold, no abnormal risk is determined to exist.
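The sketch below is an added illustration of step S5 together with claims 3 and 4, not code from the patent: it trains random cut trees on the first half of the time window, scores each vector in the second half by the fraction of training points it would displace if inserted, and flags scores over a threshold. The sample vectors, the tree count, the seed and the 0.5 threshold are assumptions, and the displaced-fraction score is a simplification of the collusive displacement score used by the published robust random cut forest algorithm.

```python
import random

def split_by_time(records):
    """Claim 3: the first half of the time window trains, the second half tests."""
    mid = (min(t for t, _ in records) + max(t for t, _ in records)) / 2
    return [v for t, v in records if t <= mid], [(t, v) for t, v in records if t > mid]

def build(points, rng):
    """Random cut tree: the cut dimension is drawn in proportion to its range."""
    lo, hi = [min(c) for c in zip(*points)], [max(c) for c in zip(*points)]
    node = {"lo": lo, "hi": hi, "n": len(points)}
    spans = [h - l for l, h in zip(lo, hi)]
    if sum(spans) == 0:                       # single point or exact duplicates
        return node
    while True:
        dim = rng.choices(range(len(spans)), weights=spans)[0]
        cut = rng.uniform(lo[dim], hi[dim])
        left = [p for p in points if p[dim] <= cut]
        if 0 < len(left) < len(points):       # redraw if the cut hit an extreme
            break
    right = [p for p in points if p[dim] > cut]
    return dict(node, dim=dim, cut=cut, l=build(left, rng), r=build(right, rng))

def displacement(node, p, rng):
    """Training points pushed one level down if p were inserted into this tree."""
    while True:
        lo, hi = [min(c) for c in zip(node["lo"], p)], [max(c) for c in zip(node["hi"], p)]
        spans = [h - l for l, h in zip(lo, hi)]
        if sum(spans) == 0:
            return 0                          # p duplicates the stored point
        dim = rng.choices(range(len(p)), weights=spans)[0]
        cut = rng.uniform(lo[dim], hi[dim])
        split_off = cut < node["lo"][dim] or node["hi"][dim] <= cut < p[dim]
        if split_off or "cut" not in node:    # p separated here, or leaf reached
            return node["n"]
        node = node["l"] if p[node["dim"]] <= node["cut"] else node["r"]

def predict_risk(records, threshold=0.5, trees=40, seed=7):
    """Return (time, score, at_risk) for every record in the test half (claim 4)."""
    rng = random.Random(seed)
    train, test = split_by_time(records)
    forest = [build(train, rng) for _ in range(trees)]
    score = lambda v: sum(displacement(t, v, rng) / t["n"] for t in forest) / trees
    return [(t, s, s > threshold) for t, s in ((t, score(v)) for t, v in test)]

def sample_records(seed=1):
    """Constructed stand-in for S4 representation vectors; t=100 is an outlier."""
    rng = random.Random(seed)
    vec = lambda t: [8.0, -8.0] * 2 if t == 100 else [rng.random() for _ in range(4)]
    return [(t, vec(t)) for t in range(128)]
```

A vector far outside the training bounding box is almost always cut off at the root and displaces the whole training set, so its score approaches 1, while a vector inside the box is separated only deep in the tree and scores near 0.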
CN202210861878.9A 2022-07-21 2022-07-21 Dynamic network risk prediction method based on graph neural network Active CN115208680B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210861878.9A CN115208680B (en) 2022-07-21 2022-07-21 Dynamic network risk prediction method based on graph neural network
US18/318,882 US11934536B2 (en) 2022-07-21 2023-05-17 Dynamic network risk predicting method based on a graph neural network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210861878.9A CN115208680B (en) 2022-07-21 2022-07-21 Dynamic network risk prediction method based on graph neural network

Publications (2)

Publication Number Publication Date
CN115208680A CN115208680A (en) 2022-10-18
CN115208680B true CN115208680B (en) 2023-04-07

Family

ID=83584223

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210861878.9A Active CN115208680B (en) 2022-07-21 2022-07-21 Dynamic network risk prediction method based on graph neural network

Country Status (2)

Country Link
US (1) US11934536B2 (en)
CN (1) CN115208680B (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116561688B (en) * 2023-05-09 2024-03-22 浙江大学 Emerging technology identification method based on dynamic graph anomaly detection
CN116305168B (en) * 2023-05-11 2023-07-18 北京双鑫汇在线科技有限公司 A multi-dimensional information security risk assessment method, system and storage medium
CN117195119A (en) * 2023-08-28 2023-12-08 微梦创科网络科技(中国)有限公司 A data quality detection method, device, electronic equipment and readable storage medium
CN117113148B (en) * 2023-08-30 2024-05-17 上海智租物联科技有限公司 Risk identification method, device and storage medium based on temporal graph neural network
CN117952564B (en) * 2024-03-22 2024-06-07 江西为易科技有限公司 Scheduling simulation optimization method and system based on progress prediction
CN118052558B (en) * 2024-04-15 2024-06-14 万联易达物流科技有限公司 Wind control model decision method and system based on artificial intelligence
CN118200047B (en) * 2024-05-14 2024-09-13 南昌大学 Network traffic anomaly detection method and system based on graph characterization
CN118428745A (en) * 2024-07-04 2024-08-02 北京科技大学 A method and system for predicting hidden dangers in chemical enterprises based on graph neural network
CN118428565B (en) * 2024-07-05 2024-11-15 杭州阿里巴巴海外互联网产业有限公司 Resource overdue prediction method and device, graph network restart method and device
CN119091195B (en) * 2024-08-12 2025-06-10 山东阳光新材料科技有限公司 Protection network abnormality detection system and method
CN119090155A (en) * 2024-11-11 2024-12-06 浙江东方职业技术学院 Adaptive learning content generation method for smart learning cloud platform
CN119669471B (en) * 2024-11-28 2025-09-23 上海交通大学 A text data classification and grading method based on dynamic graph neural network
CN119996999B (en) * 2024-12-23 2025-07-11 天津市邮电设计院有限责任公司 Wireless communication data security management method and system
CN120512302B (en) * 2025-07-17 2025-09-19 杭州融至兴科技有限公司 Network protection method and system based on attack and defense game model

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113516226A (en) * 2021-05-18 2021-10-19 长沙理工大学 A hybrid model multivariate time series anomaly detection method based on graph neural network
CN113852492A (en) * 2021-09-01 2021-12-28 南京信息工程大学 A network traffic prediction method based on attention mechanism and graph convolutional neural network

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10372910B2 (en) * 2016-06-20 2019-08-06 Jask Labs Inc. Method for predicting and characterizing cyber attacks
US12468951B2 (en) * 2018-06-12 2025-11-11 Ciena Corporation Unsupervised outlier detection in time-series data
US11562186B2 (en) * 2018-09-05 2023-01-24 Siemens Aktiengesellschaft Capturing network dynamics using dynamic graph representation learning
US11645293B2 (en) * 2018-12-11 2023-05-09 EXFO Solutions SAS Anomaly detection in big data time series analysis
US10673886B1 (en) * 2019-09-26 2020-06-02 Packetsled, Inc. Assigning and representing security risks on a computer network
US11312374B2 (en) * 2020-01-31 2022-04-26 International Business Machines Corporation Prediction of accident risk based on anomaly detection
WO2021257128A2 (en) * 2020-02-14 2021-12-23 Cornell University Quantum computing based deep learning for detection, diagnosis and other applications
CN111461907A (en) * 2020-03-13 2020-07-28 南京邮电大学 Dynamic network representation learning method oriented to social network platform
CN113225199A (en) * 2020-11-17 2021-08-06 中国人民解放军国防科技大学 Interactive behavior prediction method and device based on time sequence network mining and electronic equipment
CN113065974B (en) * 2021-03-16 2023-08-18 西北工业大学 A Link Prediction Method Based on Dynamic Network Representation Learning
CN113298634B (en) * 2021-04-26 2023-09-05 上海淇玥信息技术有限公司 User risk prediction method and device based on time sequence characteristics and graph neural network
CN115034596A (en) * 2022-06-01 2022-09-09 上海浦东发展银行股份有限公司 A risk transmission prediction method, device, equipment and medium

Also Published As

Publication number Publication date
CN115208680A (en) 2022-10-18
US11934536B2 (en) 2024-03-19
US20240028744A1 (en) 2024-01-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant